> GitHub's forgot password feature could be compromised because the system lowercased the provided email address and compared it to the email address stored in the user database.

1. Get the email address from the forgot-password request.
2. If there was a match, GitHub would send the reset password link to the email address provided by the attacker.

I want to note a separate issue of defensive coding that comes up in the writeup: I love Unicode, but I'm more and more coming to the conclusion that strings are evil and should be treated as opaque byte arrays whose only available operation is rendering into a bounded area. I now see any other string operation as a code smell. It's scary how much of our infrastructure relies on strings, given how few guarantees string operations actually give. Two visually identical file names may map to different files (because of confusables), two different names may map to the same file (because of normalization), or the ".jpg" at the end may not actually be the extension (because of a right-to-left override), not to mention names with newlines or backspaces in them, and inconsistencies between operating systems. I would go as far as to blame our overreliance on strings for all the injection attacks we see (XSS, SQL, command, etc.).
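Both points above, the lowercase-then-compare lookup in the quoted writeup and the file-name hazards, as an added Python example written for this post (it is not GitHub's code and not the writeup's): a forgot-password routine that lowercases the submitted address, looks it up, and then mails the link to the submitted address, beside a hardened version that refuses input which is not already in canonical form and always mails the address on file, plus a small file-name hazard check. The user table, the addresses, and the file names are constructed for the example; the Kelvin sign (U+212A) is used as the collision because Python's `str.lower()` maps it to a plain ASCII `k`.

```python
"""Case-mapping collisions in an email lookup, and string hazards in file
names.  Illustrative code added to this post; not code from GitHub or from
the quoted writeup.  Sample data below is constructed."""
import unicodedata

# Constructed user table: stored (already lowercased) address -> display name.
USERS = {
    "kevin@example.com": "Kevin",
}

# Bidirectional override / isolate controls that can reorder displayed text.
BIDI_CONTROLS = {"\u202a", "\u202b", "\u202c", "\u202d", "\u202e",
                 "\u2066", "\u2067", "\u2068", "\u2069"}


def forgot_password_vulnerable(submitted: str):
    """Assumed reconstruction of the bug class from the quoted writeup.

    Returns the address the reset link would be mailed to, or None.
    The submitted address is lowercased for the lookup, but the link is
    sent to the *submitted* spelling.  "\u212aevin@example.com" (Kelvin
    sign K) lowercases to "kevin@example.com", matches, and the link goes
    to a mailbox the attacker chose.
    """
    if submitted.lower() in USERS:
        return submitted
    return None


def forgot_password_hardened(submitted: str):
    """Two fixes: reject input that is not already in canonical (NFKC)
    form, so one-way case mappings such as the Kelvin sign never reach the
    lookup, and always mail the address on file rather than the input."""
    if unicodedata.normalize("NFKC", submitted) != submitted:
        return None                 # non-canonical spelling: refuse it
    key = submitted.casefold()      # full case folding, not just lower()
    if key in USERS:
        return key                  # the stored address, never the input
    return None


def filename_hazards(name: str) -> list:
    """Label the string-level hazards in a proposed file name."""
    hazards = []
    if any(ch in BIDI_CONTROLS for ch in name):
        hazards.append("bidi-override")  # the visible ".jpg" may not be the extension
    if any(unicodedata.category(ch) == "Cc" for ch in name):
        hazards.append("control-char")   # newlines, backspaces, NUL
    if unicodedata.normalize("NFC", name) != name:
        hazards.append("not-nfc")        # another spelling names the same file on some systems
    if any(ord(ch) > 127 for ch in name):
        hazards.append("non-ascii")      # confusables possible; inspect before trusting
    return hazards


def same_after_nfc(a: str, b: str) -> bool:
    """True when two byte-different names collapse to one name under NFC."""
    return a != b and (unicodedata.normalize("NFC", a)
                       == unicodedata.normalize("NFC", b))


if __name__ == "__main__":
    attacker = "\u212aevin@example.com"           # Kelvin sign, constructed
    print("vulnerable mails:", forgot_password_vulnerable(attacker))
    print("hardened mails:  ", forgot_password_hardened(attacker))
    print("hardened, legit: ", forgot_password_hardened("Kevin@example.com"))
    print(filename_hazards("photo\u202egpj.exe"))  # displays as photoexe.jpg
    print(same_after_nfc("caf\u00e9.txt", "cafe\u0301.txt"))
```

The hardened lookup still does a string comparison, just one whose inputs it has checked first: rejecting anything that changes under NFKC catches the Kelvin sign, ligatures, and full-width forms, and sending to the stored address means that even a collision that slips through only ever mails the real owner.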